General

  • Target

    JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f

  • Size

    959KB

  • Sample

    241230-xdf9bstker

  • MD5

    3af10feddd3a827a7c7725fab1b97745

  • SHA1

    c34daf7dea4deb87305cb2a7d3147da38f77091b

  • SHA256

    38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f

  • SHA512

    c616ae06060fbfff228f294fb690fbb20af2f1230d592e1a3a020b084034d637cb7393c823d05e10c2eacabd06ab3ca4746953c4a77649693894b0d522396611

  • SSDEEP

    24576:8HmHBVbcOmTnszrGeTMFTgm227Zaz5r2pXFWyEL:2QI9yrGIMFTI2JLq

Malware Config

Extracted

Family

remcos

Version

2.5.1 Pro

Botnet

zzzzzzzzzzzzZZZZZZZZZZZZNUEVAMENTE

C2

dominoduck2095.duckdns.org:9597

Attributes

  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Chrome.exe

  • copy_folder

    Chrome

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    system

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-NUTDL6

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Targets

    • Target

      JaffaCakes118_38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f

    • Size

      959KB

    • MD5

      3af10feddd3a827a7c7725fab1b97745

    • SHA1

      c34daf7dea4deb87305cb2a7d3147da38f77091b

    • SHA256

      38dda5e4059a39cb4d766f65d84e8e02a7189bf50803c719af45403a1ee3c35f

    • SHA512

      c616ae06060fbfff228f294fb690fbb20af2f1230d592e1a3a020b084034d637cb7393c823d05e10c2eacabd06ab3ca4746953c4a77649693894b0d522396611

    • SSDEEP

      24576:8HmHBVbcOmTnszrGeTMFTgm227Zaz5r2pXFWyEL:2QI9yrGIMFTI2JLq

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Target

      $APPDATA/closed/state/msie/76.opends60.dll

    • Size

      47B

    • MD5

      5c609f784597f9eb378920b5a7c90167

    • SHA1

      6baf15a0e0b5112640b7cf88c5faabada559506a

    • SHA256

      f62c88126fa73a21b956cdcede3e2bc32daf2579f3e088008b7f6195fb317965

    • SHA512

      2a17850f631485dac76c5c5afad0d04192067d4cd8ead93a7259bb67b2a1e2dcf02f64207da03ad70d8723e7f64e77538fa6dfe0ea1ab91af1bf8615548d0723

    • Score

      1/10

    • Target

      $APPDATA/closed/state/msie/custsat.dll

    • Size

      33KB

    • MD5

      1ff80ebe5082a13d02253b415aa26f60

    • SHA1

      7da7551ec7f3f1e606edf9313595e4ebe45ac8d1

    • SHA256

      e0088b6361c7ea8e611ba32542beff7ac12955991c82a5fe9ef5d9a97d6ca14f

    • SHA512

      8c33e9427227835229d27f59206e55cd98c372e6a20981c6b0518a5f9b81c127b0f40276c21adac06a433c1947ab56f7f2166135d184dec1162b5071e3037e90

    • SSDEEP

      768:8UEt7dso9+bc7m+S45ii3iiHUM6cST2WENZ3gUpSS:LEZyoE/AtXUbcSSWENdgUV

    • Score

      3/10

    • Target

      $APPDATA/typo3_src/poc/media_center/63.opends60.dll

    • Size

      49B

    • MD5

      b856569dd87788640393ce20050b7dff

    • SHA1

      78ff482a064cf41cee0fcc74802429279eaec9b2

    • SHA256

      d8e1df632b0358f4f36c8a1f67eb22d9697e8cf48de634a7d650c34ff1af85e5

    • SHA512

      caaaae98f9e42f4718e4ac312f59a63109193d50818f1fddcc54f1cfab916edab2d7dc2bf8ae53ccfdf47647a72c4fd221b973fd70fefc47b1082be4e02b32c9

    • Score

      1/10

    • Target

      $APPDATA/typo3_src/poc/media_center/PermCalc.exe

    • Size

      28KB

    • MD5

      c2efc9fcbbf2d6952110fea17841b71e

    • SHA1

      4860494e79e88beacb0155584056699adb073f44

    • SHA256

      57f248daa64d83c215189a3d38b9692f93125273ee046328febe33e69df01ded

    • SHA512

      5aa7033b6b9de91c309554b354d47d63c08d15d4d5ebe4ac6e98e059873c74149c869dea731a2754ca31dee526f27221cd210555693e5f6886cc26d271f39ae0

    • SSDEEP

      384:xL8f6BoGrFTth3SAUnZV7OKAyXSKglWYbW:98iBoGxtSHqKgB

    • Score

      3/10

    • Target

      $TEMP/GuestRummy.dll

    • Size

      19KB

    • MD5

      fc2b4128dbe4d1885b5f3297b8d77e3d

    • SHA1

      239043c06a87fd038f242a240d64996acd7de8b9

    • SHA256

      95965a6f6a610d3cd68ab6f2eabdb2fb23c29db258761ea8b547c754fe11ce4e

    • SHA512

      a477136f2ebf89257197d86cd35b050e7fd0ad8cce97f3d532ac9749ddb9e4dfc9bce365543ab812b80a182f10f631bddb322bb9a89e745cb75a7116e2061f84

    • SSDEEP

      384:FVOKW3jnEacd8LPgp3e0ZsYGUBmcCR65o4yTEzCwa:vOKW3rEacd8rjYGUB

    • Score

      3/10

    • Target

      $TEMP/_net/admin.cgi/msddslmp.dll

    • Size

      40KB

    • MD5

      ee526797868d4ef8407045a78dfb8e72

    • SHA1

      c17ecf8ae4518c6120ad9f9e91ad66bba239ead5

    • SHA256

      e457bf97dedc3a13e4d07665bb559edafde145798057d8d48cc892adc7ad1960

    • SHA512

      6a849dad8efe88731b96d96947591c21530dea3484093275cbead0d163bd26bc460f8166a26778e201ac0fe54d6a25291d4a02079ef6d027a1a2e6902b293427

    • SSDEEP

      384:C7rvZs15uzKmqlTnM4P9sVqv1LRKWjoB4s0vLdnS3BXvVMMcZ/byN2DHpQ6uEAWf:CPZs1wz/q5lG03jThvZuEg

    • Score

      1/10

    • Target

      $TEMP/logout/studio/59.opends60.dll

    • Size

      53B

    • MD5

      094581676228628668b2b30b1b61c63c

    • SHA1

      cd09890bb8da29edda4ee75d193fdcd2f042ce50

    • SHA256

      c02be33c378c6dc4f993a9fe83e88f265b19e81bdf13d56146f14add71c960cf

    • SHA512

      7078a08c819fa9fdfcabfb2d0c93b4b3aa8aa44dcfe3b28640651a55f6dc3ffb96e5c03e998930e52cad0afedc549aa260017bd2bd5b024e3eef52c2b76dc52e

    • Score

      1/10

    • Target

      $TEMP/logout/studio/rcxditui.dll

    • Size

      5KB

    • MD5

      cc869c04e8771d08397dc86374fe5a5e

    • SHA1

      d7cd17b9607538dcdd6fc267ee504b37740992ff

    • SHA256

      420007c3e0a76ac880679f323653d3b9321832f578ca4dc1c2a1e5775a0f77dd

    • SHA512

      684114317ab54248d20727058f58e592cffee865e876b8155c4426ee71cf15bfacaee07e2c9ef49c8d3f99cf6f0e20ae8800d2df88f0550e5304ab39ba468ef4

    • SSDEEP

      48:KqiJ6OqhgmLwQpXMbqwcI65y7+OiaC+IZWo6zqhpm3F5WPWghnpgX:jOqhiZF6zSEWEOjWPVn0

    • Score

      1/10

MITRE ATT&CK Enterprise v15